Hello, 

I am new to KQL, and struggling to find the best option to build the query for One successful login followed by X failed logins in Y time period for same user.

The scenario is user tried to do password guess for Y times and succeeded and a successful login was triggered and the whole scenario is time boxed. 

Any suggestion will be appreciated. 

I did find almost similar query "https://stackoverflow.com/questions/54041200/azure-log-analytics-monitoring-successful-sign-ins-foll... but this does not check if successful login came after failed. 

Thanks in advance.